I’m posting a rant today. I’d like to start out by saying that I love the open source communities. I owe my life to them. Because others have so graciously given me their hard work for free, I have the great career that I have and love. I appreciate those who are focused on creating a climate of creative innovation. I’ve recently run into a few people who don’t share that same appreciation.
To take a quick detour about the subject I’m about to talk more about, I’d like to also discuss clinical depression. I suffered from it as a teenager. I wouldn’t be here had my mom not caught me in the middle of the night, knife in hand. When a person is clinically depressed, the world appears different. Simple, easy tasks seem mundane and difficult. Communicating with others in a positive manner is challenging. For the past few years, I feel like I have been slipping back into depression. I know I need to get this taken care of.
Oliver and I would love to be employed full-time by the HardenedBSD project. We started it because we’re both passionate about security. If I talk about selling devices, receiving donations, etc, it’s not because I’m trying to “sell out.” It’s because I absolutely love this work and would love to do it full-time. We’re slowly putting together the pieces to make that a reality.
Oliver and I have also taken the stance that we want HardenedBSD everywhere. We will remain neutral to third-party vendors and projects for the foreseeable future.
A couple months ago, I started researching the best FreeBSD-based firewall distributions on which we could base the hardware we want to sell. We would migrate the distribution to using HardenedBSD and add various proprietary security features. My research came down to either pfSense or OPNSense. I’ve been a big fan of pfSense since I used it for the first time in 2008. However, they (to this date) have zero official documentation for creating custom builds. When I approached one of the pfSense developers about it, he never answered the question of whether there would be such documentation. I would have loved to use pfSense. But with no documentation, I’d rather put my focus elsewhere. Remember, though, that HardenedBSD is vendor-neutral.
OPNSense, however, had decent documentation about their build process. Though the project is in its infancy, I thought I’d give it a try. With a bit of effort and a little hair pulling, I finally got builds to work. So naturally, with OPNSense builds working, I finally chose OPNSense instead of pfSense. It all came down to one thing: proper build documentation.
During the time I was working on OPNSense + HardenedBSD integration, pfSense approached me about doing experimental builds–doing the same thing I’m doing with OPNSense. Of course, they would produce the builds since they have no custom build documentation. Even though I would have liked to have been involved with the build process (and even creating the documentation for them if they’d step me through the process once or twice), I was happy that they had even offered. I didn’t have to approach them, asking them to do the builds. They came to me. Flattering.
I sometimes tweet about vulnerabilities in projects that I actively use or find interesting. I had read a vulnerability report that came out about pfSense. More interested in the vulnerabilities themselves, I skipped over the paragraph that mentioned which versions were vulnerable. I tweeted that I was glad that I was switching my home network from pfSense to OPNSense, especially given this particular vulnerability report. Apparently, the pfSense guys took offense to that, thinking I was trying deliberately to harm the pfSense project.
When I admitted that I mistakenly skipped over the version information, the pfSense community accused me of lying, that I’m trying to sabotage pfSense and market OPNSense. How am I supposed to prove via Twitter that it was an honest mistake? There’s absolutely no way to prove that my eyes literally skipped that paragraph. Eventually, even the cofounder of pfSense joined in on the fun of disrespecting me.
Remember that, up to this point, I loved pfSense. I was flattered that they came to me to investigate experimental builds on top of HardenedBSD. Also remember that HardenedBSD is vendor-neutral.
They (the pfSense guys) claim that I’m trying to market OPNSense by being negative towards pfSense. That was not my intention at all. My intention was to convey excitement over eating my own dogfood (the OPNSense + HardenedBSD builds) and a sense of urgency given the vulnerability report. But the pfSense guys will believe what they want to believe (and thus market for themselves).
Given that the cofounder joined in on their definition of fun (disrespecting me), I now want nothing to do with pfSense. Prior to this experience, I was completely excited to help them provide experimental builds on top of HardenedBSD. But now, if they want to do it, they’ll be doing it on their own, with no help from us.
This is a prime example of how not to interact with your community, especially members of that community willing to dedicate their spare time to helping you out. You can rest assured that HardenedBSD will never, ever treat its growing community like this.
I’ll admit that I made mistakes on my end, too. I shouldn’t have skipped right to the vulnerabilities; I should have read the report in its entirety. I should have thought “how would the pfSense guys perceive this tweet” before tweeting what I did. Given my current issues with depression, it was hard not to react the way I did. I regret the way I acted, but I feel I couldn’t control it. I promise to work on it when future issues pop up (and life has taught me they will). When I’m tired and depressed, I’m not the most effective communicator. It’s a skill I need to improve upon.
So, pfSense people, if you’re reading this, please treat your community better than you’ve treated me. I’m likely never to contribute to you because of this one incident–mainly because the cofounder was involved. You don’t know who you’re pushing out and what innovations you’re stifling by the way you’re treating people. I promise to do better on my part. Please consider doing the same.
08 Jun 2015 18:01 EDT - I have talked with one of the pfSense developers. We are working things out. I have personally apologised to him for any offenses I have made towards him or the pfSense project. I’d like to reiterate that my intentions were never malicious.